OpenShift Hive: HIVE-3007

TLS minimum version 1.3 for hiveadmission pods


    • Type: Epic
    • Priority: Critical
    • Resolution: Unresolved
    • Status: To Do
    • Epic Name: TLS 1.3
    • Work Type: Product / Portfolio Work
    • Parent: OCPSTRAT-769 Universally configurable TLS Cipher list
    • Progress: 100% To Do, 0% In Progress, 0% Done


      Epic Goal

      • TLDR: All OpenShift components must enforce consistent TLS 1.3 configuration by OCP 4.22 GA. This mandatory security effort requires checking for quantum-safe ML-KEM key encapsulation support in TLS 1.3 mode.
      • PQC support in OCP requires TLS 1.3. We have three documented places to configure TLS profiles. All OpenShift components (and layered products) should conform to the TLS configuration defined in one of those three places. While enforcing this configuration, check for quantum-safe ML-KEM key encapsulation support when running in TLS 1.3 mode. This is mandatory by OCP 4.22.
      • This is a release blocker for OCP 4.22.
      • One key requirement for enabling PQC with TLS is support for TLS 1.3. This support must be consistent and adequately enforced across the platform. Because customers have only three ways to configure TLS profiles, and because they can configure custom TLS profiles, the point is not only to switch defaults from TLS 1.2 to TLS 1.3; it is to ensure that whatever a customer configures [0] is enforced throughout the platform.
      • Having a centrally managed configuration will help with future TLS changes as new PQC algorithms are finalized and adopted. Part of the acceptance criteria is to ensure that your component, when using TLS 1.3, defaults to the ML-KEM quantum-safe key encapsulation mechanism.
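      As an added illustration (not Hive's own code): the minimum-version enforcement this epic asks of the hiveadmission pods, written as a Go tls.Config, together with an in-memory handshake check that a TLS 1.2-only client is refused while a TLS 1.3 client negotiates 1.3. The names ServerTLSConfig, NegotiatedVersion and mustSelfSignedCert and the throwaway certificate are constructed for this example; the ML-KEM (X25519MLKEM768) key exchange is offered automatically by Go 1.24 and later once TLS 1.3 is in use, so it is not configured explicitly here.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)
// ServerTLSConfig makes TLS 1.3 the floor for an admission webhook server: TLS 1.2 clients are refused at the
// handshake. Go picks the TLS 1.3 suites itself and, from Go 1.24, offers X25519MLKEM768 by default, so no lists are needed.
func ServerTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion:             tls.VersionTLS13,
		Certificates:           []tls.Certificate{cert},
		SessionTicketsDisabled: true, // no resumption needed; also keeps the pipe handshake below to one flight each way
	}
}

// mustSelfSignedCert builds a throwaway Ed25519 certificate (constructed test input, not a real Hive cert).
func mustSelfSignedCert() tls.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err2 := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil || err2 != nil {
		panic(fmt.Sprint("cert fixture: ", err, err2))
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// NegotiatedVersion handshakes a client capped at clientMax against server over an in-memory pipe and returns the version the server accepted, or the error with which the server refused the client.
func NegotiatedVersion(server *tls.Config, clientMax uint16) (uint16, error) {
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	// Client side runs concurrently; InsecureSkipVerify only because the fixture cert is self-signed.
	go tls.Client(cliConn, &tls.Config{InsecureSkipVerify: true, MaxVersion: clientMax}).Handshake()
	s := tls.Server(srvConn, server)
	if err := s.Handshake(); err != nil {
		return 0, err
	}
	return s.ConnectionState().Version, nil
}

func main() {
	cfg := ServerTLSConfig(mustSelfSignedCert())
	fmt.Println(NegotiatedVersion(cfg, tls.VersionTLS12)) // 0 <refusal error>
	fmt.Println(NegotiatedVersion(cfg, tls.VersionTLS13)) // 772 <nil>  (772 == tls.VersionTLS13)
}
```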

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

              Assignee: Unassigned
              Reporter: Mike Worthington (mworthin@redhat.com)